Bug#924050: poppler-utils: pdfsig segfaults on signed PDF

Bernhard √úbelacker bernhardu at mailbox.org
Fri Mar 22 22:46:58 GMT 2019


Control: tags 924050 + upstream fixed-upstream patch


Dear Maintainer,
I tried to reproduce this crash, and received one with
this example file [1].
But due to the lack of the submitters original
file, this crash might be different.

However, following crash got already fixed upstream [2][3]
and released in poppler 0.72.0.

The upstream patch needed slight modification.
An poppler package built with that patch shows the
signature information successfully.

Kind regards,
Bernhard


[1] https://blogs.adobe.com/security/SampleSignedPDFDocument.pdf
[2] https://gitlab.freedesktop.org/poppler/poppler/issues/669
[3] https://gitlab.freedesktop.org/poppler/poppler/commit/a85c2ed8f4359341adb94887c4b551a761244fdb


(gdb) bt
#0  0x00007f33db0d1c84 in SECMOD_ReferenceModule (module=0x0) at pk11util.c:847
#1  0x00007f33db0d21fc in SECMOD_AddModule (newModule=0x5648cf9cdd40) at pk11util.c:541
#2  SECMOD_AddModule (newModule=0x5648cf9cdd40) at pk11util.c:519
#3  0x00007f33db0d22a0 in SECMOD_AddNewModuleEx (moduleName=0x7f33dbcfce7d "Root Certs", dllPath=0x7f33dbcfce6f "libnssckbi.so", defaultMechanismFlags=0, cipherEnableFlags=0, modparms=<optimized out>, nssparms=<optimized out>) at pk11util.c:695
#4  0x00007f33dbcb1199 in SignatureHandler::SignatureHandler (this=0x7ffe927d1830, p7=0x5648cf9bed80 "0\202&\341\006\t*\206H\206\367\r\001\a\002\240\202&\322\060\202&\316\002\001\001\061\v0\t\006\005+\016\003\002\032\005", p7_length=10971) at ./poppler/SignatureHandler.cc:136
#5  0x00007f33dbbabb16 in FormFieldSignature::validateSignature (forceRevalidation=<optimized out>, validationTime=-1, doVerifyCert=true, this=0x5648cf99b7f0) at ./poppler/Form.cc:1722
#6  FormFieldSignature::validateSignature (this=0x5648cf99b7f0, doVerifyCert=<optimized out>, forceRevalidation=<optimized out>, validationTime=-1) at ./poppler/Form.cc:1689
#7  0x00005648ceee7a5d in main (argc=<optimized out>, argv=<optimized out>) at /usr/include/c++/8/bits/stl_vector.h:979
-------------- next part --------------
A non-text attachment was scrubbed...
Name: a85c2ed8f4359341adb94887c4b551a761244fdb-adapted-to-debian.patch
Type: text/x-patch
Size: 1432 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-freedesktop-maintainers/attachments/20190322/06198303/attachment-0001.bin>
-------------- next part --------------

# Buster amd64 qemu VM 2019-03-22

apt update
apt dist-upgrade


apt install dpkg-dev devscripts systemd-coredump poppler-utils gdb poppler-utils-dbgsym libpoppler82-dbgsym libnss3-dbgsym mc
apt build-dep poppler



wget https://blogs.adobe.com/security/SampleSignedPDFDocument.pdf

/usr/bin/pdfsig SampleSignedPDFDocument.pdf





mkdir /tmp/source/libnss3/orig -p
cd    /tmp/source/libnss3/orig
apt source libnss3
cd



mkdir /tmp/source/poppler/orig -p
cd    /tmp/source/poppler/orig
apt source poppler
cd



set width 0
set pagination off
directory /tmp/source/libnss3/orig/nss-3.42.1/nss/lib/pk11wrap
bt


##########


benutzer at debian:~$ /usr/bin/pdfsig SampleSignedPDFDocument.pdf
Digital Signature Info of: SampleSignedPDFDocument.pdf
Internal Error (0): couldn't find default Firefox Folder
Speicherzugriffsfehler (Speicherabzug geschrieben)



[  168.783249] pdfsig[14900]: segfault at 38 ip 00007f33db0d1c84 sp 00007ffe927d1750 error 4 in libnss3.so[7f33db08c000+f0000]
[  168.783259] Code: b2 a5 fb ff 48 85 c0 74 0f 48 c7 00 00 00 00 00 48 c7 40 08 00 00 00 00 48 83 c4 08 c3 66 0f 1f 84 00 00 00 00 00 53 48 89 fb <48> 8b 7f 38 e8 f3 bb fb ff 83 43 40 01 48 8b 7b 38 e8 66 c9 fb ff



root at debian:~# coredumpctl list
TIME                            PID   UID   GID SIG COREFILE  EXE
Fri 2019-03-22 22:50:23 CET   14900  1000  1000  11 present   /usr/bin/pdfsig



root at debian:~# coredumpctl gdb 14900
           PID: 14900 (pdfsig)
           UID: 1000 (benutzer)
           GID: 1000 (benutzer)
        Signal: 11 (SEGV)
     Timestamp: Fri 2019-03-22 22:50:23 CET (1min 41s ago)
  Command Line: /usr/bin/pdfsig SampleSignedPDFDocument.pdf
    Executable: /usr/bin/pdfsig
 Control Group: /user.slice/user-1000.slice/session-3.scope
          Unit: session-3.scope
         Slice: user-1000.slice
       Session: 3
     Owner UID: 1000 (benutzer)
       Boot ID: 50d2a12e8a2f4f90a67993fe31495b4b
    Machine ID: 32f43b50ac8c4b21941bc0b02f8e7811
      Hostname: debian
       Storage: /var/lib/systemd/coredump/core.pdfsig.1000.50d2a12e8a2f4f90a67993fe31495b4b.14900.1553291423000000.lz4
       Message: Process 14900 (pdfsig) of user 1000 dumped core.
                
                Stack trace of thread 14900:
                #0  0x00007f33db0d1c84 SECMOD_ReferenceModule (libnss3.so)
                #1  0x00007f33db0d21fc n/a (libnss3.so)
                #2  0x00007f33db0d22a0 SECMOD_AddNewModuleEx (libnss3.so)
                #3  0x00007f33dbcb1199 _ZN16SignatureHandlerC2EPhi (libpoppler.so.82)
                #4  0x00007f33dbbabb16 _ZN18FormFieldSignature17validateSignatureEbbl (libpoppler.so.82)
                #5  0x00005648ceee7a5d main (pdfsig)
                #6  0x00007f33db77009b __libc_start_main (libc.so.6)
                #7  0x00005648ceee7f4a _start (pdfsig)

GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/pdfsig...(no debugging symbols found)...done.
[New LWP 14900]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/bin/pdfsig SampleSignedPDFDocument.pdf'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f33db0d1c84 in SECMOD_ReferenceModule () from /usr/lib/x86_64-linux-gnu/libnss3.so


(gdb) bt
#0  0x00007f33db0d1c84 in SECMOD_ReferenceModule () from /usr/lib/x86_64-linux-gnu/libnss3.so
#1  0x00007f33db0d21fc in ?? () from /usr/lib/x86_64-linux-gnu/libnss3.so
#2  0x00007f33db0d22a0 in SECMOD_AddNewModuleEx () from /usr/lib/x86_64-linux-gnu/libnss3.so
#3  0x00007f33dbcb1199 in SignatureHandler::SignatureHandler(unsigned char*, int) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.82
#4  0x00007f33dbbabb16 in FormFieldSignature::validateSignature(bool, bool, long) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.82
#5  0x00005648ceee7a5d in main ()




root at debian:~# dpkg -S /usr/lib/x86_64-linux-gnu/libpoppler.so.82
libpoppler82:amd64: /usr/lib/x86_64-linux-gnu/libpoppler.so.82
root at debian:~# dpkg -S /usr/lib/x86_64-linux-gnu/libnss3.so
libnss3:amd64: /usr/lib/x86_64-linux-gnu/libnss3.so



Core was generated by `/usr/bin/pdfsig SampleSignedPDFDocument.pdf'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f33db0d1c84 in SECMOD_ReferenceModule (module=0x0) at pk11util.c:847
847     pk11util.c: Datei oder Verzeichnis nicht gefunden.
(gdb) set width 0
(gdb) set pagination off
(gdb) directory /tmp/source/libnss3/orig/nss-3.42.1/nss/lib/pk11wrap
Source directories searched: /tmp/source/libnss3/orig/nss-3.42.1/nss/lib/pk11wrap:$cdir:$cwd
(gdb) bt
#0  0x00007f33db0d1c84 in SECMOD_ReferenceModule (module=0x0) at pk11util.c:847
#1  0x00007f33db0d21fc in SECMOD_AddModule (newModule=0x5648cf9cdd40) at pk11util.c:541
#2  SECMOD_AddModule (newModule=0x5648cf9cdd40) at pk11util.c:519
#3  0x00007f33db0d22a0 in SECMOD_AddNewModuleEx (moduleName=0x7f33dbcfce7d "Root Certs", dllPath=0x7f33dbcfce6f "libnssckbi.so", defaultMechanismFlags=0, cipherEnableFlags=0, modparms=<optimized out>, nssparms=<optimized out>) at pk11util.c:695
#4  0x00007f33dbcb1199 in SignatureHandler::SignatureHandler (this=0x7ffe927d1830, p7=0x5648cf9bed80 "0\202&\341\006\t*\206H\206\367\r\001\a\002\240\202&\322\060\202&\316\002\001\001\061\v0\t\006\005+\016\003\002\032\005", p7_length=10971) at ./poppler/SignatureHandler.cc:136
#5  0x00007f33dbbabb16 in FormFieldSignature::validateSignature (forceRevalidation=<optimized out>, validationTime=-1, doVerifyCert=true, this=0x5648cf99b7f0) at ./poppler/Form.cc:1722
#6  FormFieldSignature::validateSignature (this=0x5648cf99b7f0, doVerifyCert=<optimized out>, forceRevalidation=<optimized out>, validationTime=-1) at ./poppler/Form.cc:1689
#7  0x00005648ceee7a5d in main (argc=<optimized out>, argv=<optimized out>) at /usr/include/c++/8/bits/stl_vector.h:979



(gdb) bt full
#0  0x00007f33db0d1c84 in SECMOD_ReferenceModule (module=0x0) at pk11util.c:847
No locals.
#1  0x00007f33db0d21fc in SECMOD_AddModule (newModule=0x5648cf9cdd40) at pk11util.c:541
        rv = SECSuccess
        oldModule = <optimized out>
        rv = <optimized out>
        oldModule = <optimized out>
#2  SECMOD_AddModule (newModule=0x5648cf9cdd40) at pk11util.c:519
        rv = <optimized out>
        oldModule = <optimized out>
#3  0x00007f33db0d22a0 in SECMOD_AddNewModuleEx (moduleName=0x7f33dbcfce7d "Root Certs", dllPath=0x7f33dbcfce6f "libnssckbi.so", defaultMechanismFlags=0, cipherEnableFlags=0, modparms=<optimized out>, nssparms=<optimized out>) at pk11util.c:695
        module = 0x5648cf9cdd40
        result = SECFailure
        s = <optimized out>
        i = <optimized out>
        slot = <optimized out>
#4  0x00007f33dbcb1199 in SignatureHandler::SignatureHandler (this=0x7ffe927d1830, p7=0x5648cf9bed80 "0\202&\341\006\t*\206H\206\367\r\001\a\002\240\202&\322\060\202&\316\002\001\001\061\v0\t\006\005+\016\003\002\032\005", p7_length=10971) at ./poppler/SignatureHandler.cc:136
No locals.
#5  0x00007f33dbbabb16 in FormFieldSignature::validateSignature (forceRevalidation=<optimized out>, validationTime=-1, doVerifyCert=true, this=0x5648cf99b7f0) at ./poppler/Form.cc:1722
        arrayLen = 4
        sig_val_state = <optimized out>
        cert_val_state = <optimized out>
        signature_handler = {hash_length = 3483022560, CMSitem = {type = 2457671968, data = 0x2 <error: Cannot access memory at address 0x2>, len = 3482956816}, hash_context = 0x0, CMSMessage = 0x0, CMSSignedData = 0x0, CMSSignerInfo = 0x0, temp_certs = 0x0}
        fileLength = <optimized out>
        signature_len = 10971
        signatureuchar = <optimized out>
        arrayLen = <optimized out>
        sig_val_state = <optimized out>
        cert_val_state = <optimized out>
        signature_len = <optimized out>
        signatureuchar = <optimized out>
        signature_handler = <optimized out>
        fileLength = <optimized out>
        i = <optimized out>
        offsetObj = <optimized out>
        lenObj = <optimized out>
        offset = <optimized out>
        len = <optimized out>
#6  FormFieldSignature::validateSignature (this=0x5648cf99b7f0, doVerifyCert=<optimized out>, forceRevalidation=<optimized out>, validationTime=-1) at ./poppler/Form.cc:1689
        arrayLen = <optimized out>
        sig_val_state = <optimized out>
        cert_val_state = <optimized out>
        signature_len = <optimized out>
        signatureuchar = <optimized out>
        signature_handler = <optimized out>
        fileLength = <optimized out>
        i = <optimized out>
        offsetObj = <optimized out>
        lenObj = <optimized out>
        offset = <optimized out>
        len = <optimized out>
#7  0x00005648ceee7a5d in main (argc=<optimized out>, argv=<optimized out>) at /usr/include/c++/8/bits/stl_vector.h:979
        ranges = std::vector of length 1, capacity 1 = {94870720603936}
        i = 0
        doc = 0x5648cf99b410
        sigCount = 1
        fileName = 0x5648cf99b360
        sig_info = <optimized out>
        time_str = <optimized out>
        sig_widgets = Python Exception <class 'gdb.error'> value has been optimized out: 

        win32Console = <optimized out>
        exitCode = 99
        ok = <optimized out>



(gdb) down
#0  0x00007f33db0d1c84 in SECMOD_ReferenceModule (module=0x0) at pk11util.c:847
847         PZ_Lock(module->refLock);

(gdb) list pk11util.c:841,848
841     /*
842      * make a new reference to a module so It doesn't go away on us
843      */
844     SECMODModule *
845     SECMOD_ReferenceModule(SECMODModule *module)
846     {
847         PZ_Lock(module->refLock);                                <<<<<<<<<<
848         PORT_Assert(module->refCount > 0);

(gdb) print module
$1 = (SECMODModule *) 0x0





(gdb) up
#1  0x00007f33db0d21fc in SECMOD_AddModule (newModule=0x5648cf9cdd40) at pk11util.c:541
541             newModule->parent = SECMOD_ReferenceModule(defaultDBModule);

(gdb) list pk11util.c:518,542
518     SECStatus
519     SECMOD_AddModule(SECMODModule *newModule)
520     {
521         SECStatus rv;
522         SECMODModule *oldModule;
523
524         /* Test if a module w/ the same name already exists */
525         /* and return SECWouldBlock if so. */
526         /* We should probably add a new return value such as */
527         /* SECDublicateModule, but to minimize ripples, I'll */
528         /* give SECWouldBlock a new meaning */
529         if ((oldModule = SECMOD_FindModule(newModule->commonName)) != NULL) {
530             SECMOD_DestroyModule(oldModule);
531             return SECWouldBlock;
532             /* module already exists. */
533         }
534
535         rv = secmod_LoadPKCS11Module(newModule, NULL);
536         if (rv != SECSuccess) {
537             return rv;
538         }
539
540         if (newModule->parent == NULL) {
541             newModule->parent = SECMOD_ReferenceModule(defaultDBModule);                  <<<<<<<<<<<
542         }

(gdb) print defaultDBModule
$2 = (SECMODModule *) 0x0





root at debian:~# dpkg -l | grep poppler
ii  libpoppler82:amd64               0.71.0-3                    amd64        PDF rendering library
ii  libpoppler82-dbgsym:amd64        0.71.0-3                    amd64        debug symbols for libpoppler82
ii  poppler-data                     0.4.9-2                     all          encoding data for the poppler PDF rendering library
ii  poppler-utils                    0.71.0-3                    amd64        PDF utilities (based on Poppler)
ii  poppler-utils-dbgsym             0.71.0-3                    amd64        debug symbols for poppler-utils

root at debian:~# dpkg -l | grep nss3
ii  libnss3:amd64                    2:3.42.1-1                  amd64        Network Security Service libraries
ii  libnss3-dbgsym                   2:3.42.1-1                  amd64        debug symbols for libnss3





####################





https://gitlab.freedesktop.org/poppler/poppler/issues/669

https://gitlab.freedesktop.org/poppler/poppler/commit/a85c2ed8f4359341adb94887c4b551a761244fdb


cd /tmp/source/poppler
cp -a orig try1
cd try1/poppler-0.71.0
wget https://gitlab.freedesktop.org/poppler/poppler/commit/a85c2ed8f4359341adb94887c4b551a761244fdb.patch -O ../a85c2ed8f4359341adb94887c4b551a761244fdb.patch
patch -p1 --dry-run < ../a85c2ed8f4359341adb94887c4b551a761244fdb.patch 
        #checking file poppler/SignatureHandler.cc
        #Hunk #1 FAILED at 114.
        #1 out of 1 hunk FAILED
git init
git add .
git commit -m "Initial commit"
        
        

benutzer at debian:/tmp/source/poppler/try1/poppler-0.71.0$ cat ../a85c2ed8f4359341adb94887c4b551a761244fdb.patch
From a85c2ed8f4359341adb94887c4b551a761244fdb Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid at kde.org>
Date: Sat, 17 Nov 2018 19:29:16 +0100
Subject: [PATCH] Be more stubborn looking for a nssdb

Fixes issue #669
---
 poppler/SignatureHandler.cc | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/poppler/SignatureHandler.cc b/poppler/SignatureHandler.cc
index aedccf7a..6c510229 100644
--- a/poppler/SignatureHandler.cc
+++ b/poppler/SignatureHandler.cc
@@ -114,10 +114,19 @@ GooString *SignatureHandler::getDefaultFirefoxCertDB_Linux()
 void SignatureHandler::init_nss() 
 {
   GooString *certDBPath = getDefaultFirefoxCertDB_Linux();
+  bool initSuccess = false;
   if (certDBPath == nullptr) {
-    NSS_Init("sql:/etc/pki/nssdb");
+    initSuccess = (NSS_Init("sql:/etc/pki/nssdb") == SECSuccess);
   } else {
-    NSS_Init(certDBPath->c_str());
+    initSuccess = (NSS_Init(certDBPath->c_str()) == SECSuccess);
+  }
+  if (!initSuccess) {
+    GooString homeNssDb(getenv("HOME"));
+    homeNssDb.append("/.pki/nssdb");
+    initSuccess = (NSS_Init(homeNssDb.c_str()) == SECSuccess);
+    if (!initSuccess) {
+      NSS_NoDB_Init(nullptr);
+    }
   }
   //Make sure NSS root certificates module is loaded
   SECMOD_AddNewModule("Root Certs", "libnssckbi.so", 0, 0);
-- 
2.18.1

benutzer at debian:/tmp/source/poppler/try1/poppler-0.71.0$ grep "void SignatureHandler::init_nss" poppler/SignatureHandler.cc -A15 -n
114:void SignatureHandler::init_nss() 
115-{
116-  GooString *certDBPath = getDefaultFirefoxCertDB_Linux();
117-  if (certDBPath == nullptr) {
118-    NSS_Init("sql:/etc/pki/nssdb");
119-  } else {
120-    NSS_Init(certDBPath->getCString());
121-  }
122-  //Make sure NSS root certificates module is loaded
123-  SECMOD_AddNewModule("Root Certs", "libnssckbi.so", 0, 0);
124-
125-  delete certDBPath;
126-}
127-


# merge patch


git add poppler/SignatureHandler.cc
git commit -m "a85c2ed8f4359341adb94887c4b551a761244fdb merged"
git format-patch -o .. -1

dpkg-buildpackage -b


dpkg -i /tmp/source/poppler/try1/{libpoppler82,libpoppler82-dbgsym,poppler-utils,poppler-utils-dbgsym}_0.71.0-3_amd64.deb



benutzer at debian:~$ /usr/bin/pdfsig SampleSignedPDFDocument.pdf
Digital Signature Info of: SampleSignedPDFDocument.pdf
Internal Error (0): couldn't find default Firefox Folder
Signature #1:
  - Signer Certificate Common Name: John B Harris
  - Signer full Distinguished Name: E=jbharris at adobe.com,CN=John B Harris,O=Adobe Systems Incorporated,L=San Jose,ST=CA,C=US
  - Signing Time: Jul 16 2009 16:47:47
  - Signing Hash Algorithm: SHA1
  - Signature Type: adbe.pkcs7.detached
  - Signed Ranges: [0 - 227012], [248956 - 272318]
  - Total document signed
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate has Expired




More information about the Pkg-freedesktop-maintainers mailing list